Abstract

Algebraic transition systems extend labeled transition systems by allowing transitions labeled by algebraic equations, so that more complex systems can be modeled in detail. We present a deductive approach for specifying and verifying algebraic transition systems. We modify standard dynamic logic by introducing algebraic equations into modalities. Algebraic transition systems are embedded in the modalities of logic formulas, which specify properties of algebraic transition systems. The semantics of modalities and formulas is defined in terms of the solutions of algebraic equations. A proof system for this logic is constructed to verify properties of algebraic transition systems. The proof system combines inference rules with decision procedures from the theory of polynomial ideals, reducing a proof-search problem to an algebraic computation problem. The proof system is shown to be sound but inherently incomplete. Finally, a typical example illustrates that reasoning about algebraic transition systems with our approach is feasible.

1. Introduction

System verification requires a mathematical structure on which the system in question is described precisely. Labeled transition systems [1] are such structures proposed for this purpose, and they are widely used to specify hardware and software systems [2], for example, integrated circuits, communication protocols, and concurrent algorithms. A labeled transition system is a transition system (first presented by Keller [3]) whose transitions are labeled by abstract labels. Abstract labels are sufficient for modelling the atomic actions which trigger transitions of systems, but they are insufficient to describe enough detail about the transitions of complex systems. For instance, we are much concerned with the details of how a train reduces its speed in the brake mode, which are usually specified by mathematical equations.

Algebraic transition systems [4] extend labeled transition systems by labeling transitions with algebraic assertions, which are conjunctions of polynomial equations. Transitions labeled with algebraic assertions are able to describe how states change according to those polynomial equations. This is essential for modelling complex systems. What is more significant is that many mathematical techniques on polynomials become available for the analysis of complex systems, such as the theory of polynomial ideals [5]. On the other hand, conventional methods are not adequate for verifying algebraic transition systems due to the complexity of algebraic assertions. To the best of our knowledge, there is no approach for reasoning about algebraic transition systems. Our study is motivated mainly by this.

Our approach is related to theorem proving, which is a well-established verification method for labeled transition systems. The theorem proving method [6, 7] tries to find a proof of the desired property, which is written as a theorem in a logic language. Another verification method, called model checking, uses finite-state traversal algorithms [8, 9]. Hence model checking automatically checks whether a given system satisfies the desired properties by traversing the state space of the system. However, model checking requires systems to be finite-state systems or systems whose state space can be divided into finitely many quotient subspaces [10, 11]. Theorem proving, by contrast, is not restricted to finite-state systems and hence applies to complex systems, most of which have infinite state spaces. Since the state spaces of algebraic transition systems are defined on , which is infinite, we choose theorem proving to verify algebraic transition systems.

Inspired by [4, 12–14], we present a deductive approach for specifying and verifying algebraic transition systems. Our approach includes a modification of dynamic logic () and a proof system for . The is extended from dynamic logic [15] by allowing algebraic equations in modalities. There are two standard modalities and , where is defined with algebraic equations. The refers to the states reachable by all runs of , while indicates the states reachable by some runs of . The formal semantics of modalities is defined with zero sets of polynomials. These modalities, embedded in logical formulas, are used to model the behavior of algebraic transition systems. The properties of algebraic transition systems are specified with formulas. The satisfaction of formulas is defined with zero sets of polynomials and the semantics of modalities. For deciding whether the desired properties are satisfied, a proof system in the sequent-calculus style, called calculus, is constructed. This proof system aims to find a proof of the desired properties with inference rules. Several special rules are customized to handle modalities with algebraic equations by reducing the proof-search problem to an algebraic computation problem. The algebraic computation procedures enhance the reasoning power of our proof system. The proof system is proved to be sound but, like many other proof systems, inherently incomplete. Reasoning about algebraic transition systems with our approach is demonstrated with a typical example.

In recent decades, the deductive approach for specifying and verifying transition systems has produced fruitful results [16]. [17] is a specification language designed by Lamport for formally describing and reasoning about distributed systems. Systems are specified in as formulas of the Temporal Logic of Actions (TLA) [6], which is a variant of temporal logic. The proof system (TLAPS) [18, 19] is a general platform for the development of proofs. A whole proof in TLAPS is decomposed into a collection of subproofs which are sent to backend verifiers including SMT solvers, theorem provers, and proof assistants. Compared with and TLAPS, our approach is designed for the direct proof of properties of algebraic transitions. With our approach the proof problem is reduced to an algebraic computation problem, such as the ideal membership problem in ideal theory. Our proof system can be considered as a backend verifier of TLAPS for algebraic transition systems.

Combined with mathematical procedures, the deductive approach can be used for the verification of more complex systems, for example, real-time systems and reactive systems [20–22]. Platzer [12, 23] developed a deductive framework for the verification of hybrid systems, which are dynamic systems containing continuous evolutions and discrete transitions. A discrete transition in [12] is specified as an explicit assignment to a variable. For instance, the primed variable in the discrete transition , which assigns the value of to , can be immediately eliminated by a replacement with . In contrast, a transition in an algebraic transition system is modelled as an algebraic equation. Consider the transition as an example. The primed variable in this transition can be directly eliminated only if can be equivalently written as a polynomial in , such as . In most cases, the transitions in algebraic transition systems generalise the discrete parts of hybrid systems. Algebraic transition systems cannot simply be seen as subsets of hybrid systems and therefore are not covered by the usual methods. Our approach can thus be considered a complement to the usual methods for verifying complex systems.

The rest of this paper is organized as follows. Section 2 presents some preliminary concepts and some theorems which lie at the core of our approach. We introduce our understanding of algebraic transition systems in Section 3. The algebraic modification of dynamic logic is described in Section 4. In Section 5 we construct a proof system for this logic, and we prove the soundness and inherent incompleteness of the proof system in Section 7. Our approach is illustrated by reasoning about a train control system in Section 6. Section 8 concludes with some ideas for future work.

2. Preliminary

In this section, we introduce several important results from polynomial ideal theory, which lie at the core of our approach.

We begin with the concepts of polynomials and ideals. Let be the set of natural numbers including 0, the set of reals, and the set of complex numbers obtained as the algebraic closure of the reals. Let be a set of variables. The set of polynomials on the variables, whose coefficients are drawn from the reals, is denoted by .

Definition 1 (zero set). Let be a polynomial on ; the zero set of , denoted by , is the set of points in the complex plane such that
where is obtained from by replacing all variables with the elements of the point .

We write instead of when the variables are understood from the context. Let be a finite set of polynomials over ; its corresponding zero set is defined as
We say the polynomial vanishes at the set if for all .

Definition 2 (ideals). A subset is an ideal, if and only if
(1) ;
(2) for all , , ;
(3) if and , then , where indicates the product of the polynomials , .

An ideal generated by a set of polynomials , denoted by , is the smallest ideal containing and, equivalently,
The ideal is said to be finitely generated if the set is finite. Hilbert’s basis theorem says that every ideal in is finitely generated.

The basic relation of an ideal and its generators is that they have the same zero set according to the following theorem.

Theorem 3. Given an ideal generated by , then the zero set of and the zero set of are the same:

Proof. (1) Since , we immediately conclude that . That is, (2) Conversely,

Definition 4 (radical ideal). Let be an ideal. The radical of , denoted by , is the set

The following theorem asserts a significant relation between zero sets and ideal membership, which is the underlying algebraic principle of axiom rules in Section 5.

Theorem 5. Given and , if there is an integer such that , that is, , then vanishes at the zero set of ; that is, . Equivalently,

Proof. This theorem is one direction of the famous theorem called Hilbert’s Nullstellensatz. The proof of Hilbert’s Nullstellensatz can be found in [5].

A fundamental question in ideal theory is checking whether a given polynomial belongs to the radical of an ideal, which is known as the radical membership problem. This problem is addressed by the following theorem.

Theorem 6. Let be a polynomial and let be an ideal. Then belongs to the radical of the ideal if and only if the constant belongs to the ideal ; that is,
where is a new variable different from .

Proof. A proof of this theorem can be found in any standard text on ideal theory (see Proposition 8 in [5]).

Solving the radical membership problem requires a special kind of generating set, called a reduced Gröbner basis. Every ideal of has a unique finite reduced Gröbner basis [24]. To determine if , we compute the reduced Gröbner basis of the ideal . If the result is , then . Otherwise, .

Another application of reduced Gröbner bases, shown by the following theorem, is deciding whether a finite set of polynomials has a nonempty zero set.

Theorem 7. Let be a finite set of polynomials and the reduced Gröbner basis for . Then has an empty zero set if and only if ; that is, .

Proof. A proof of this theorem can be found in Corollary 4.3.7 of [24].
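As an added illustration of the two decision procedures above (this is not code from the paper), the following Python implements Buchberger's algorithm over the rationals with lex order and uses it for the radical membership test of Theorem 6 (via the fresh variable y) and for the empty-zero-set test of Theorem 7. All polynomials in the driver are constructed inputs; instead of computing the reduced basis and comparing it with {1}, it checks whether 1 reduces to 0 modulo any Gröbner basis of the ideal, which is equivalent.

```python
from fractions import Fraction
from itertools import combinations

# A polynomial over Q in n variables is a dict {exponent tuple: Fraction}.
# Monomials are compared lexicographically, which is Python's tuple ordering,
# so max(p) is the leading exponent of p under lex with x1 > x2 > ... > xn.


def poly(terms):
    """Normalise {exponent tuple: coefficient} to Fraction coefficients, dropping zeros."""
    return {e: Fraction(c) for e, c in terms.items() if c != 0}


def add(p, q):
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, Fraction(0)) + c
    return poly(r)


def mul(p, q):
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = r.get(e, Fraction(0)) + c1 * c2
    return poly(r)


def lead(p):
    """Leading exponent and coefficient of a nonzero polynomial."""
    e = max(p)
    return e, p[e]


def divides(e1, e2):
    return all(a <= b for a, b in zip(e1, e2))


def reduce_poly(f, G):
    """Remainder of f under multivariate division by the list G."""
    f, r = dict(f), {}
    while f:
        e, c = lead(f)
        for g in G:
            ge, gc = lead(g)
            if divides(ge, e):
                # cancel the leading term of f with the matching multiple of g
                mono = {tuple(a - b for a, b in zip(e, ge)): -c / gc}
                f = add(f, mul(mono, g))
                break
        else:  # no leading term of G divides x^e: move it to the remainder
            r[e] = f.pop(e)
    return poly(r)


def s_poly(f, g):
    """S-polynomial of f and g: their leading terms cancel against each other."""
    (fe, fc), (ge, gc) = lead(f), lead(g)
    lcm = tuple(max(a, b) for a, b in zip(fe, ge))
    tf = {tuple(a - b for a, b in zip(lcm, fe)): Fraction(1) / fc}
    tg = {tuple(a - b for a, b in zip(lcm, ge)): Fraction(-1) / gc}
    return add(mul(tf, f), mul(tg, g))


def groebner(F):
    """Buchberger's algorithm: a Groebner basis of the ideal generated by F."""
    G = [p for p in map(poly, F) if p]
    pairs = list(combinations(range(len(G)), 2))
    while pairs:
        i, j = pairs.pop()
        s = reduce_poly(s_poly(G[i], G[j]), G)
        if s:  # new leading term: extend the basis and queue its pairs
            G.append(s)
            pairs.extend((k, len(G) - 1) for k in range(len(G) - 1))
    return G


def contains_one(F, n):
    """True iff 1 lies in <F>, i.e. the reduced Groebner basis of <F> is {1}."""
    return not reduce_poly(poly({(0,) * n: 1}), groebner(F))


def has_empty_zero_set(F, n):
    """Theorem 7: the zero set of F (in n variables) is empty iff 1 is in <F>."""
    return contains_one(F, n)


def in_radical(f, F, n):
    """Theorem 6: f is in sqrt(<F>) iff 1 is in <F, 1 - y*f> for a fresh variable y."""
    lift = lambda p: {e + (0,): c for e, c in poly(p).items()}  # append variable y
    y = poly({(0,) * n + (1,): 1})
    extra = add(poly({(0,) * (n + 1): 1}), mul(poly({(0,) * (n + 1): -1}), mul(y, lift(f))))
    return contains_one([lift(g) for g in F] + [extra], n + 1)


if __name__ == "__main__":
    # Constructed examples in the variables (x, y); exponents are (deg x, deg y).
    X, Y, XY = {(1, 0): 1}, {(0, 1): 1}, {(1, 1): 1}
    print(in_radical(X, [XY], 2))                           # False: x is nonzero on the line y = 0
    print(in_radical(X, [{(2, 0): 1, (0, 1): -1}, Y], 2))   # True: x^2 = (x^2 - y) + y
    print(has_empty_zero_set([X, {(1, 0): 1, (0, 0): -1}], 2))  # True: x = 0 and x = 1 conflict
```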

3. Algebraic Transition Systems

In this section, we demonstrate how algebraic assertions enrich the abstract labels of labeled transition systems.

Definition 8 (algebraic assertions). An algebraic assertion over the set of variables is defined as a finite union of polynomial equations of the form
where, for each , .

For an algebraic assertion , its zero set is defined as
We say that a point satisfies , denoted by , if belongs to the zero set of ; that is, .

An algebraic transition system is specialized from a labeled transition system. Each transition of an algebraic transition system is labeled with an algebraic assertion instead of an abstract label.

Definition 9 (algebraic transition system). An algebraic transition system is a tuple , where
(i) is the set of states;
(ii) is the set of transitions;
(iii) is a set of algebraic assertions on including the null label ;
(iv) is a label function assigning each transition to an algebraic assertion.

For an algebraic transition system , a state is a function which maps each variable in to a real. According to the label function , each transition is labeled with an algebraic assertion denoted by . The algebraic assertion is defined on , where denotes the current-state variables and denotes the next-state variables.

The transition relation of , which describes how states change, is defined by algebraic assertions on . For each , the transition relation is determined by the label as follows:
where , indicate the current state and the next state, respectively, and is evaluated by substituting each variable of with the corresponding value in and each variable of with the corresponding value in . In particular, the null label specifies the identity relation on ; that is, . The transition labeled by from to is denoted by .

An algebraic transition system is deterministic if there is at most one transition and one label for any state; otherwise it is nondeterministic. For a deterministic algebraic transition system, the next state is determined uniquely by the current state. For instance, given an algebraic assertion , the next state is obtained by adding 1 to the variable in the current state. We say that the transition labeled by is deterministic, and nondeterministic if (because the next state can take or ). Obviously, an algebraic transition must be deterministic if for all each variable in can be written as a unique polynomial over . In this case, each algebraic assertion can be written as with each and . Hence the value of each variable in the next state is uniquely determined by in the current state according to .

Definition 10 (run). Given an algebraic transition system , a run of is defined by a sequence of transitions as follows:
where the th element of is denoted by and for each there exists a transition from state to state such that

Example 11. In order to illustrate algebraic transition systems, we present a simplified train control system shown in Figure 1. Assume that a train has two modes: the acceleration mode () and the deceleration mode (). The train keeps checking the current mode and velocity. If it is in mode and its velocity reaches , it inverts the acceleration power () and changes its mode to mode . Then the position of the train evolves with velocity along and . If the velocity of the train slows down to in mode , it inverts its deceleration power () and switches to mode . Compared with real-time systems and hybrid systems, the behavior of algebraic transition systems is discrete, such as the discrete behavior of the train with time period . Note that we use the relaxed version of algebraic assertions. For instance, we write as the relaxed version of . The and can be any fixed constants.

Figure 1: A simple train control system.

In contrast with classical labeled transition systems with abstract labels [3], algebraic transition systems are widely useful for modeling data flows, because algebraic assertions describe in detail how data changes between states. What is more significant is that the introduction of concepts from ideal theory makes available more powerful and efficient algebraic methods for reasoning about complex systems.

4. Algebraic Dynamic Logic

In this section, we present algebraic dynamic logic (), in which algebraic transition systems are modeled as modalities by modifying first-order dynamic logic. Properties about the behavior of algebraic transition systems can be expressed as formulas. After introducing the syntax of algebraic programs and formulas, we define an algebraic semantics of , according to algebraic transition systems as mentioned in Section 3.

4.1. Syntax

The formulas of are strings built over a finite set of real-valued variables and a signature consisting of function symbols, predicate symbols, and constant symbols. In algebraic dynamic logic, modalities are extended to algebraic programs which are the combination of algebraic assertions and operational connectives.

Definition 12 (algebraic programs). The set of algebraic programs is defined inductively as follows.
(i) If is an algebraic assertion on defined in Definition 8, then the assignment is an algebraic program.
(ii) If is an algebraic assertion on , then the guard is an algebraic program.
(iii) If and are algebraic programs, then so is the sequential composition .
(iv) If and are algebraic programs, then so is the nondeterministic choice .
(v) If is an algebraic program, then so is the iteration .

As previously mentioned, the effect of an assignment is specified as a transition relation of algebraic transition systems. Furthermore, each of simultaneously takes place to change the current state. Assignments in computer programming languages are special cases of algebraic assertions since each next-state variable can easily be written as a unique polynomial in current-state variables according to assignment statements. The guard is used to check whether the subsequent transition is possible. For the guard of , the program is allowed to happen, only when is satisfied in the current state. Not all programs need a guard. Any program without a guard always takes place. The program says that is executed after doing . The program means that one of and is nondeterministically chosen and executed, and the program says that is executed some finite number of times.

Due to the operational structure of programs in standard dynamic logic [15], an algebraic transition system can be translated into an algebraic program without effort. Algebraic programs encode algebraic transition systems into modalities of formulas, which specify properties of algebraic transition systems according to the following definition.

Definition 13 (formulas). The set of formulas is obtained inductively as follows.
(i) If is a polynomial defined over , then is an atomic formula.
(ii) If , then .
(iii) If and , then , .
(iv) If and , then .

The existential quantification can be defined with universal quantification and is abbreviated to . The relation between and is . The formula expresses that all runs of program lead to states on which the formula holds. Likewise, means that there exists at least one run of program after which the formula holds. In and , the algebraic program plays the role of encoding an algebraic transition system, while claims that the behavior of the algebraic transition system satisfies the property specified by . For example, the formula asserts that there exists a run during the loop of such that reaches eventually.

Variables occurring in the scope of the quantifiers and are bound to quantifiers, and variables of occurring in modalities are bound to modalities. Variables are free if they are not in the scope of quantifiers or modalities. We assume that no variable is bound to both a quantifier and a modality at the same time. The interaction of the quantifiers , and the modalities , makes the formulas subtle. In particular, whether a quantifier occurs before or after a modality changes the meaning of the formula slightly. For instance, means that all choices of the parameter valued to keep true. However, for , the variable in is free and different from in , which is a parameter and can be substituted with another variable symbol not occurring in . The way of unifying quantification and modalities in [15] is to use a special wildcard assignment to redefine quantification such that and , where the wildcard assignment indicates an arbitrary assignment to .

Example 14. We formalize the train control system shown in Figure 1 as the following algebraic program:
where
We use nondeterministic choice to join and together. In the phase of , it tests whether the current mode is and then checks whether the current velocity reaches . If so, the mode switches to and the acceleration power is inverted. The subsequent action is executing , in which the velocity and the position evolve along and , respectively. The phase of is similar to . The control system repeats indefinitely many times (or forever).
Furthermore, we express properties of the train control system as formulas. For instance, the following statement about the train control system, “the velocity of the train never reaches 11”, is equivalently expressed as the formula

4.2. Semantics

The semantics of is defined in the fashion of Kripke [25], where possible worlds represent states of algebraic transition systems and transition relations along the runs of algebraic transition systems are represented as the accessibility relation.

For the set and signature , an interpretation is a map, which maps each function symbol in to an algebraic assertion on and each predicate symbol in to an algebraic assertion on . A state is a map assigning a real value in to each state variable in whose value is only changed by algebraic programs. The free variables in are mapped to the reals by an assignment . These variables are also named logical variables. There is no need to distinguish logical variables and state variables except for the clarity of expressions.

The semantics of an algebraic program is interpreted as a transition relation consisting of pairs of states, while the satisfaction of an formula is interpreted as a Boolean value by a state with respect to an interpretation and an assignment. We begin with the semantics of algebraic programs.

Definition 15 (semantics of algebraic programs). For each algebraic program , its semantics, denoted by , specifies the state which is reachable from the state under the operation of . is inductively defined as follows.
(i) if , where is an algebraic assertion on .
(ii) if , where is an algebraic assertion on .
(iii) and , for some state .
(iv) .
(v) if and only if there is a and a state sequence , with for all .

Note that the semantics of an algebraic program is defined according to zero sets of the algebraic assertion. Let be an algebraic program with the algebraic assertion on ; the semantics of is the common zero set of all . For example, the semantics of is the set of points lying on the two lines and in the plane. There may exist more than one successor state for the current state. In most cases, the successor states of a given state are uniquely determined by algebraic programs. The guards of the form are associated with those states which satisfy the algebraic assertion for triggering the next program. An iteration denotes all states reachable from the state by successively executing nondeterministically many times (zero or more).

The satisfaction of an formula involves an interpretation , an assignment , and a state . For a formula , we write and say that and satisfy in or that is true in state with respect to and . We omit , and write when and are understood in the context. The notation means that does not satisfy . We use to denote the modification of the assignment that agrees with except for the variable which is amended to .

Definition 16 (satisfaction of formulas). For two formulas and , the satisfaction is inductively defined according to the syntactic structure of and .
(1) if and only if .
(2) if and only if .
(3) if and only if and . Similarly, for , .
(4) if and only if for all .
(5) if and only if for some .
(6) if and only if for all states with .
(7) if and only if for some state with .

A formula is valid in and written as if is true on all states and all assignments in interpretation . If for all interpretations , we write and say that is valid.

After giving the semantics of algebraic dynamic logic, in order to prove the validity of formulas, such as (17), we construct a proof system for in the next section.

5. Proof System

In this section, we construct a sequent calculus for algebraic dynamic logic. In a sequent calculus a sequent is an expression of the form , where the antecedent and the succedent are finite sequences of formulas. The meaning of is equivalently expressed as the following formula:
That is to say, a sequent is satisfied by a state if and only if . Equivalently, makes the sequent false if makes all true and all false.

An inference rule is of the form
where both and are sequents. The upper sequents are called premises and the lower sequent is called the conclusion. The semantics of an inference rule is that each state satisfying all premises also makes the conclusion true. The direction of entailment is top-down, which means that the premises logically imply the conclusion, while the direction of applying rules is bottom-up. That means that the procedure of reasoning about a sequent starts from the conclusion at the bottom and works towards the premises at the top.

The proof system, called calculus, is constructed by customizing inference rules which manipulate formulas in an algebraic fashion. The basic idea is to evaluate the effects of algebraic programs with the algebraic methods mentioned in Section 2 and to transform formulas into first-order formulas without algebraic programs. calculus consists of axiom rules, rules for logical operators, rules for quantifiers, and rules for modalities and programs.

5.1. Rules for Axioms

In this and the following sections, the symbols , denote arbitrary sequences of formulas and , denote formulas unless otherwise noted.

Four basic rules listed in , named axiom rules, are used for closing a proof search. Rules are the same as in many other sequent calculi. The axiom rule treats a sequent with a common formula in the antecedent and the succedent as an axiom, which can be inferred from nothing (denoted by ):
In , and are atomic formulas which are expressed as polynomials in the variables of , and .

Rule is customized to coordinate with mathematical procedures on ideal theory implemented by computer algebra systems, such as REDUCE, Maple, Mathematica, AXIOM, and SINGULAR. Rule states that any sequent whose antecedent has a formula whose zero set is contained in the zero set of some formula of the succedent can be treated as an axiom. By Theorems 5 and 6, the inclusion can be transformed into the radical membership problem, which is decided by the radical membership algorithm on polynomial ideals [5, 24]. That is to say, if there is an atomic formula in the succedent such that belongs to the radical of the ideal generated by the polynomials in in the antecedent, that is, , then the sequent can be treated as an axiom. The radical membership algorithm is implemented in most computer algebra systems, such as the RadicalMembership command in Maple. The discussion of computer algebra systems is not in the scope of this paper.

5.2. Rules for Logical Operators

The rules in are used to handle standard logical operators. There are two cases for the appearance of each logical operator, and each logical operator needs dual rules (left rule and right rule):

Rules are standard for propositional dynamic logic. These rules decompose formulas with propositional structure into smaller formulas with fewer logical operators. Rules and are dual and aim to reduce the negation operator . Rule just replaces the symbol with a comma, since formulas are combined conjunctively in the antecedents of sequents by the definition of sequents. Rule branches the sequent containing the operator in the succedent into two sequents, since conjuncts in the succedent can be proved separately due to the semantics of sequents. Dually, rule is similar to and is similar to according to the semantics of sequents. Rule derives from rules and by the logical equivalence of and . Similarly, rule is derived from rules and .

5.3. Rules for Quantifiers

Recall that variables of occurring in an algebraic program are bound to modalities. We assume that each modality-bound variable is not bound to any quantifier. A variable is free if it is not bound to modalities and quantifiers.

Definition 17 (substitution). A substitution of an algebraic assertion or a formula for a free variable is defined as a function which maps each object variable to a designated polynomial. Let be a polynomial; the result of substituting in an algebraic assertion for a variable is denoted by . The result of substituting in a formula for a variable is denoted by .

A substitution with the result is admissible for the formula if no variables in are bound in the formula . That is to say, free variables in are still free in the formula after applying an admissible substitution.

Rule and rule are the usual -rule in [7, 26], while and correspond to the -rule in [26]. Rules are complete for quantifiers of classical first-order logic. That is to say, everything about quantifiers of first-order logic can be derived with [7]:
In , the variable is only bound to or . In and , is a new free variable. In and , is a new function symbol and are all free variables in and .

5.4. Rules for Modalities and Programs

The rules for modalities and programs are obtained from the rule schemata shown in , which can be applied in both sides of a sequent. Rule schemata in analyze the effect of modalities by reducing algebraic programs into simpler ones.

If
is an instance of one rule schema in , then
are two inference rules of the calculus. There is one rule schema for each program structure () and each modality (, ).

As mentioned previously, algebraic programs are defined on . formulas, which are defined on , only assert properties of the final states of the runs of algebraic programs. Confusion about variables may arise when an algebraic program needs to be lifted to a formula by the rules in . To eliminate this confusion, the variables of algebraic programs need to be renumbered by the variable numbering procedure defined by the following definition when an algebraic program is lifted to a formula with rule and rule .

Definition 18 (variable numbering procedure). For each sequent , there always exists a procedure such that a sequent that produces no variable confusion is obtained from by numbering all occurrences of variables.

Since every sequent is assumed to contain finitely many variables, numbering them is easy and immediately yields a variable numbering procedure. We assume that each sequent which produces variable confusion is implicitly numbered by the variable numbering procedure. For the sake of succinctness, the procedure is not described in detail. However, its effect is illustrated by Example 19:

In and , denotes an algebraic assertion on . In and , denotes an algebraic assertion on . Variables bound to are denoted by .

Example 19. Consider the sequent
It would have produced confusion of the variables and if we applied rules and directly. After performing the variable numbering procedure, we get the following sequent:
which produces no confusion when applying and .

Rules and are used to deal with assignment programs in and . The basic idea of and is transforming an formula with assignment programs into a standard first-order formula by lifting assignment programs to logical formulas. expresses that the formula always holds after executing the assignment program , if implies for all values of variables bound to while expresses that holds for some execution of , if both and hold for some value for variables bound to . Both and properly reflect the underlying logical principle that formulas with assignment programs can be transformed into quantified formulas. The rules and can be understood in the same way as in [15], except that the logical formula of test is replaced with a guard specified by an algebraic assertion on .

Rules are used to decompose the structure of programs into simpler programs. In order to prove the sequential compositions of programs, nested modalities, which are obtained by decomposing sequential compositions, have to be proved by -. Nondeterministic choices are proved by proving the conjunction by or disjunction by of its alternatives. and are the usual iteration rules in dynamic logic [15], which unfold loops.

5.5. Miscellaneous Rules

Besides the rules mentioned previously, some miscellaneous rules are necessary for our proof system. There are several types of rules listed in . The first type is the usual generalization rules ( and ), which allow one to derive and from .

is the usual cut rule [27], which does not make our proof system prove more theorems but allows proofs to be shorter and simpler. It states that when a formula can be concluded in the context and can also serve as a premise for concluding other formulas, then the formula can be cut out of the context. However, when searching for a proof bottom-up with the cut rule, one has to guess the auxiliary formula .

Rule is a variant of the usual induction rule with inductive invariant [15]. It expresses that the invariant will be true after any number of iterations of if is true in the current state and remains true after the execution of whenever holds for all bound variables of . Rule transforms a finite set of atomic formulas with an empty zero set into the Boolean value . Whether atomic formulas have an empty zero set is decided by Theorem 7. Note that in denotes all variables bound to the algebraic program . In rule the formulas are atomic and have an empty zero set.
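The decision step that the last rule relies on, as an added example that is not the paper's own code or tool: it assumes Theorem 7 is the weak Nullstellensatz criterion (over an algebraically closed field, finitely many polynomial equations have an empty common zero set exactly when the constant 1 lies in the ideal they generate) and decides it by computing a Gröbner basis with Buchberger's algorithm. Polynomials are dicts from exponent tuples to rational coefficients, and the sample system at the end is constructed, not the train model.

```python
from fractions import Fraction
from itertools import combinations
# A polynomial over Q is a dict {exponent tuple: coefficient}; Python's tuple comparison
# on exponent tuples is the lex monomial order used by every function below.
def add(p, q, scale=1):  # p + scale*q, zero terms dropped, coefficients as Fractions
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0) + Fraction(scale) * c
    return {m: c for m, c in r.items() if c != 0}
def mul_term(p, mono, coef):  # p * (coef * x^mono)
    return {tuple(a + b for a, b in zip(m, mono)): c * coef for m, c in p.items()}
def lead(p):  # leading (monomial, coefficient) under lex order
    return max(p), p[max(p)]

def remainder(p, G):  # multivariate division of p by G; returns the remainder
    r, p = {}, add({}, p)
    while p:
        m, c = lead(p)
        for g in G:
            gm, gc = lead(g)
            if all(a >= b for a, b in zip(m, gm)):  # lead(g) divides lead(p)
                q = tuple(a - b for a, b in zip(m, gm))
                p = add(p, mul_term(g, q, c / gc), -1)  # cancels the leading term of p
                break
        else:  # leading term irreducible: move it into the remainder
            r[m] = c
            del p[m]
    return r

def s_poly(f, g):  # S-polynomial: cancel both leading terms against their lcm
    (fm, fc), (gm, gc) = lead(f), lead(g)
    l = tuple(max(a, b) for a, b in zip(fm, gm))
    return add(mul_term(f, tuple(a - b for a, b in zip(l, fm)), 1 / fc),
               mul_term(g, tuple(a - b for a, b in zip(l, gm)), 1 / gc), -1)

def groebner(F):  # plain Buchberger: add non-zero reduced S-polynomials until none remain
    G = [add({}, f) for f in F if add({}, f)]
    pairs = list(combinations(range(len(G)), 2))
    while pairs:
        i, j = pairs.pop()
        r = remainder(s_poly(G[i], G[j]), G)
        if r:
            G.append(r)
            pairs += [(k, len(G) - 1) for k in range(len(G) - 1)]
    return G

def zero_set_empty(F, nvars):  # weak Nullstellensatz: empty over C iff 1 is in the ideal
    return any(lead(g)[0] == (0,) * nvars for g in groebner(F))

SAMPLE = [{(1, 1): 1, (0, 0): -1}, {(1, 0): 1}]  # constructed: x*y - 1 = 0 and x = 0 over (x, y)
```

`zero_set_empty(SAMPLE, 2)` is True, so an antecedent made of these two atomic formulas is unsatisfiable and the rule may rewrite it to the Boolean constant.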

6. Verification Example

Reasoning about the safety property of the train control system, which is formulated by (17), is shown in Figures 2–4. Note that we have assumed the parameter is constant; that is, time is discrete and modelled by . In addition, the train updates its velocity once per and keeps the velocity fixed within each . We start by writing the safety property as the proof obligation: We use the rule to eliminate the iteration operator and split the sequent into two branches by applying rule . The left branch derives the open sequent from by applying . Recall that by the semantics of sequents the proof obligation is valid if all premises are valid. Hence (24) is not valid if is not valid. In other words, which makes valid must be guaranteed initially in order to make (24) valid.

Figure 2: Verification of the train control system.

Figure 3: Proof of the right branch.

Figure 4: The rest of proof.

The proof of the right branch () proceeds as shown in Figure 2. Since there are no free variables in , we replace each bound variable with a constant when the rule is applied. Proving the sequent amounts to proving both and (denoted by in Figure 2).

The proof of the sequent () is shown in Figure 3. For notational convenience, the notions , , and are introduced as follows: At the end of the proof in Figure 3, we obtain the sequent where denotes the initial velocity and denotes the final velocity after executing program . Since we know that the initial velocity does not equal 11 according to (25), the right side of (27) is false. Hence the left side of (27) must be unsatisfiable for sequent (27) to be valid. If we treat , , and as parameters of the train, then is obtained from by eliminating all variables except . If the assertion is not satisfied, sequent (27) is valid. That means implies .

The proof of the sequent is similar to that of . In the same way, we obtain the assertion: which implies . Hence, the safety property of the train control system specified by (17) is valid if the requirements specified by (25), (28), and (29) are satisfied; that is,

7. Soundness and Incompleteness

7.1. Soundness

In this section, we prove that the calculus is sound; that is, verification with the calculus always produces correct results.

Lemma 20. Given a formula , two interpretations , , assignments , , and states , , if , , and , , agree on all free variables of , then if and only if .

Proof. This lemma can be proved by a simple induction principle [28] on the structures of algebraic programs and formulas as in Section 4.2 using the semantics of algebraic programs and formula satisfaction.

The soundness of the calculus is shown by the following theorem, which says that all rules preserve the validity of sequents.

Theorem 21. For all rules and rule schemata listed in –, if all premises of a rule are valid sequents, that is, sequents true in all states for all interpretations, then the conclusion is a valid sequent.

Proof. We start by giving the proofs of the rules specific to the calculus, namely , , , , and . The remaining rules are proved in the usual way, which can be found in [15, 26, 28], and are therefore skipped here.
(i) Rule is a sound axiom rule. Let be an interpretation, an assignment, and a state with . Since the zero set of in the antecedent of the conclusion is a subset of the zero set of in the succedent, that is, , we can conclude that . Then we conclude that by the definition of . According to the semantics of sequents, is true for all and can be applied as an axiom.
(ii) Rule is sound. For any , , with , we choose as the witness of such that the value of in is assigned to the bound variable in . Then can be concluded. The proof of is trivial since the premise and the conclusion contain the common formula .
(iii) The soundness proof of is as follows. Assume that there are , such that for some the formula is true; that is, . We can conclude that by choosing the value of as the witness of . The soundness proof of is dual.
(iv) is sound. Assume that there are , such that for all assignments the formula implies ; that is, . Since all bound variables in the modality are denoted by , we can conclude that for all with by the definition of the semantics of and Lemma 20. Then is concluded.
(v) is sound. Assume that there are , such that for some assignment the formula is true; that is, . We can conclude that with by the definition of . Then is concluded by Lemma 20. Hence we can conclude that .
(vi) is sound. Since the zero set of the atomic formulas is empty, there is no state such that , by the satisfaction of formulas. So the antecedent is unsatisfiable and is equivalent to .
(vii) Rule schema is sound. For any , , with , we conclude that for all states with by Lemma 20. Hence we can further conclude that by the semantics of .

7.2. Incompleteness

The following theorem shows the inherent incompleteness of the calculus.

Theorem 22. The calculus is inherently incomplete.

Proof. This theorem is proved by showing that Peano arithmetic, which generates the natural numbers, is definable in . Natural numbers are definable in modalities using iterations: Hence Gödel's incompleteness theorem [29] applies to the calculus, and we immediately conclude that the calculus is incomplete.

8. Conclusions and Future Work

In this paper, we present a deductive approach for reasoning about algebraic transition systems. This approach models algebraic transition systems as algebraic programs of , which is obtained by allowing algebraic assertions in dynamic logic. The properties of algebraic transition systems are formalized as formulas with our method. We explain the semantics of algebraic programs in as transition relations of algebraic transition systems and define the satisfaction of formulas in terms of zero sets of polynomials. A proof system for , called the calculus, is constructed for reasoning about algebraic transition systems. The calculus is proved to be sound and is illustrated by the verification of the safety property of the train control system.

Our approach combines mathematical procedures from polynomial ideal theory with deductive verification by customizing special rules for handling algebraic programs. The introduction of mathematical procedures enhances the reasoning power of our proof system. However, proofs of properties involving iterations and quantifiers may be tedious and ineffective in complex cases. Future work includes a closer investigation of effective rules for iterations and quantifiers, for example, the invariant method [4, 30–32] and quantifier elimination [33–35]. On the other hand, there are properties which cannot be formalized as formulas, such as properties with inequalities, since formulas are defined with algebraic assertions, which are polynomial equations. As further future work, more general formulas should allow inequalities and more complex structures, such as differential equations for specifying hybrid systems.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to thank the anonymous reviewers for their constructive comments and suggestions. This work is supported by the National Natural Science Foundation of China under Grants nos. 11371003 and 11461006, the Natural Science Foundation of Guangxi under Grants nos. 2011GXNSFA018154, 2012GXNSFGA060003, and 2014GXNSFAA118359, the Science and Technology Foundation of Guangxi under Grant no. 10169-1, and the Scientific Research Project no. 201012MS274 from the Guangxi Education Department.